We investigate a graphical representation of session invocation interdependency in order to prove 
progress for the π-calculus with sessions under the usual session typing discipline. We show that 
those processes whose associated dependency graph is acyclic can be brought to reduce. We call 
such processes transparent processes. Additionally, we prove that for well-typed processes where 
services contain no free names, such acyclicity is preserved by the reduction semantics. 

Our results encompass programs (processes containing neither free nor restricted session channels) 
and higher-order sessions (delegation). Furthermore, we give examples suggesting that transparent 
processes constitute a large enough class of processes with progress to have applications in 
modern session-based programming languages for web services. 

1 Introduction 

Due to fast-growing technologies and the exponential growth of the Internet and the world-wide web, 
computing systems and software based on communication are becoming the norm rather than the exception. 
In particular, Web Services (WS) are today a crucial ingredient in many such systems. The W3C, the 
world-wide web's governing body, defines WS as "a software system designed to support interoperable 
machine-to-machine interaction over a network" [18]. Abstractly, we think of WS as running processes, 
each identified by some name, which can be repeatedly invoked by clients or other services. Such an 
invocation spawns a new thread of the service which handles the actual interaction between service and 
client. This interaction, a sequence of input-output operations, is often referred to as a session. 

Recently, sessions have been the subject of intense research. Most pertinent to the present paper, 
calculi for concurrency have been equipped with typing systems ensuring session safety [6, 17, 11]. Such 
session typing systems have in turn given rise to a host of programming languages using session types to 
control concurrency, e.g., [12, 16, 14], to cite a few. Such languages derive their strengths and practicality 
directly from our theoretical understanding of the underlying calculi. 

One class of theoretical problems with direct ramifications for programming languages is that of 
ensuring progress of sessions, that is, statically ensuring that protocols do not inadvertently get stuck or 
deadlock [10, 8, 9, 2]. In the present work, we investigate a graphical representation of session invocation 
interdependency and exploit its properties for proving progress. As a result, we identify a new class of 
processes, which we call the transparent processes. This class advances the state of the art in two 
directions: (1) it includes processes not hitherto identified as having progress and (2) it is characterised 
by a simple syntactic criterion which requires no special-purpose typing system or inference and is 
computable in linear time with respect to the number of nodes in the abstract syntax tree of a process. 
We shall argue that the class we consider has specific practical motivation and, in combination with (2), 
it thus seems to be of potentially direct practical importance. 

* (the Jingling Genies projects). Authors are listed alphabetically by last name. 

In session-based systems such as WS, caller and callee play central roles. Traditional calculi take a 
completely symmetric approach to such roles. We claim that this approach is perhaps not fully aligned 
with the practicalities of WS: the communicating parties, clients and services, are not equal but rather 
inherently asymmetric. Whereas clients can be anything, services must be mutually independent. Thus, 
we shall assume that a service can never depend on previously opened communications. This assumption 
leads us to the class of transparent processes, while simultaneously assuring practical relevance. 

Formally, we work in a π-calculus with sessions and session types à la [11]. In this model, the 
above assumption becomes simply that no service contains free session channels. This assumption is 
by itself sufficient to guarantee progress, without any extra constraints on well-typed processes. 
Additionally, the progress result of the present paper actually goes beyond such self-contained services, i.e., 
transparent processes are a larger class than just closed services. Technically, we adopt a near-standard 
session-typing discipline similar to the one used in [6, 7]. That services cannot rely on already open 
communications is reflected by the following, only non-standard, typing rule for services. By example: 



$$
\text{(T-Serv)}\quad
\frac{\Gamma,\ buy : \langle\alpha\rangle \vdash P \triangleright k : \alpha}
     {\Gamma,\ buy : \langle\alpha\rangle \vdash buy(k).P \triangleright \emptyset}
$$


Above, we have framed those points relevant to the discussion. The term buy(k).P denotes a service 
named buy which, upon invocation, will create some private channel k and use it in its body P for 
exchanging messages with the invoker. The typing rule says that the body P has access only to the new 
session k (expressed in the premise as k : α, where α describes how k will be used in P), and not to any 
other previously opened session. Technically, this is just a small restriction to standard session typing 
[11]; thus any process typeable in the present system will be typeable in the standard one. On the other 
hand, this restriction is practically reasonable [6]. 

The central idea for proving the progress property is to focus on the development of session 
dependency graphs, first introduced in [7]. These capture the key intuition in our transparent processes. 
Whereas much work on progress and deadlock works essentially by ordering the sequential use of 
channels (e.g. [13, 9, 3]), the present work, qua the session dependency graph, works instead by ordering the 
running threads of a system by their pairwise sharing of sessions. Consider the following example; we 
call prefixes in a parallel composition threads: 

$$
\underbrace{k?(x).\,k'!(x)}_{1} \ \mid\ \underbrace{k!(5)}_{2} \ \mid\ \underbrace{k'?(y)}_{3}
$$

Above, thread 1 receives a value on session channel k and then forwards it to another session k'. Thread 
2 sends value 5 on session k while thread 3 waits for a message to be sent on session k'. Each of the three 
processes above represents a node in the session dependency graph. Moreover, an edge between two 
nodes is in the graph whenever their corresponding processes share a free session channel. Graphically: 

[graph: node 2 --k-- node 1 --k'-- node 3] 




The transparent processes are simply those processes which have acyclic session dependency graph 
at every sub-term. Acyclicity at top-level is enough to guarantee the absence of immediate deadlock; 
acyclicity at every sub-term ensures that this deadlock-freedom is preserved by reduction. While the 
session dependency graph approximates session interference and interdependency in a powerful and 
intuitive way, the acyclicity of the session dependency graphs is at heart a simple syntactic property, 
easily checkable in linear time by considering the free names of a process. 

Related Work. Progress has been investigated for a variety of calculi for web services, e.g., in [Q~1|3]|U 
and, for session types, it has spawned several lines of research. The present paper takes as its starting 
points [9] and [7]. In particular, the former gives a progress result for a class of well-typed processes 
identified by a particular typing system based on finding an ordering of channel usage, in contrast to 
the session dependency graph ordering threads. Importantly, [9] allows service channels to be restricted, 
something that we do not presently. However, transparent processes are neither a subset nor a superset of 
the processes characterized in [9]. We clarify the key differences with some examples. First, the process 

$$
buy(k).\ \overline{ship}(k').\ k \triangleright \{\, ok : k?(x_{addr}).\,k'!(x_{addr}),\ \ abort : k'!(null).\,k?(x_{reason}) \,\} \qquad (1)
$$

denotes a service buy which, upon invocation, creates the session channel k, then calls service ship and 
finally branches (with labels ok and abort) on k. The two branches differ by the order in which k and 
k' are used. This process is transparent, and thus has progress (in a context with a suitable invocation 
$\overline{buy}(k)$ and service ship(k')). However, because of the inconsistent orderings on the use of channels in 
the two branches (communication on k then k' in one, k' then k in the other), the typing of [9] rejects this 
process. Second, the process 

$$
buy(k).\,k?(x_{card}).\,\overline{serv}(k').\,k'!(5) \ \ \mid\ \ \overline{buy}(k).\,\overline{serv}(k').\,k'?(x).\,k!(card) \qquad (2)
$$

consists of the parallel composition of a service buy and a client. Service buy expects to receive credit 
card details on its private channel k for a payment, and then spawns some service serv which sends some 
value (5 in this case). However, the client expects to pay after it has used the service, i.e., it will invoke 
serv immediately after invoking buy. Payment is done eventually after the service is used. Notice that, 
if run on its own, the process will get stuck. However, if provided with the right context, it progresses 
simply because it will reduce in the presence of another suitable service serv. Again, in [9], this term is 
rejected because of the inconsistent order in which buy and serv are used. In this work, this process is 
transparent, and thus has progress. 

Other approaches to progress for session types include [10, 1], which consider models featuring 
synchronous/asynchronous session types for object-oriented languages. In particular, [10] also exploits 
the assumption that a service cannot rely on already open communications. However, in that work, a 
delegation k!((k')).P is well-typed only if P does not contain further uses of k. That is, a process can truly 
only ever participate in one session at a given time. In contrast, while we insist that services at the outset 
do not reference open sessions, a service may evolve through delegation to participate in many sessions 
at the same time. A case in point is (1) above. 

In [3], a typing system ensures progress for multiparty session types where sessions may involve 
more than two participants. Unlike our result, the aforementioned works introduce extra typing for 
guaranteeing progress of programs. However, because of asynchronous communications, limitations such as 
the one described in the previous paragraph are present only for processes receiving a delegated channel. 

The present paper expands in several directions the session dependency graphs introduced in [7]. 
First, the graphs in [7] address a different language dealing with exceptions and do not handle higher-order 
sessions (delegation). Second, whereas [7] treated only programs, the present work takes the much 
larger class of transparent processes. 
Contribution of the paper. The main technical contribution of this paper is the investigation of session 
interdependency graphs and the identification of a class of well-typed processes with progress, the 
transparent processes. This is an interesting class because: 

1. it is potentially practically relevant: as explained above, it is a natural model of WS; 

2. it is simply characterized by acyclicity of its session dependency graph, a syntactic condition, 
checkable in linear time. No special typing system is necessary; 

3. it includes new processes not identified as progressing by known methods. 

This contribution is relevant to programming languages based on session types, e.g., [12], as it gives a 
simple syntactic means for ensuring progress for protocols implemented in such languages. 

Outline of the presentation. We present the π-calculus with sessions in §2 and introduce a slight 
variation of session types in §3. §4 introduces session dependency graphs while §5 defines the class of 
transparent processes and proves that this class is closed under reduction. §6 proves that every transparent 
process progresses and, as a corollary, that so does every program. We conclude in §7. For space 
reasons, some (parts of) proofs have been omitted and moved to the appendix of the online version [5]. 

2 A π-calculus with Service Oriented Sessions 

We introduce a variant of the π-calculus with sessions [11, 19] which outlaws restriction on public 
channels, and allows replicated behaviour only for services. 

Syntax. Let a, b, c, x, y, z, ... range over service (or public) channels; k, k', t, s, ... over session (or private) 
channels; and e, e', ... over public channels, and arithmetic and other first-order expressions. 






$$
\begin{array}{rcll}
P & ::= & \mathbf{0} & \text{(inact)} \\
  & \mid & P \mid Q & \text{(par)} \\
  & \mid & (\nu k)\,P & \text{(resSess)} \\
  & \mid & \gamma & \text{(prefix)} \\
  & \mid & \mathsf{if}\ e\ \mathsf{then}\ P\ \mathsf{else}\ Q & \text{(cond)} \\[6pt]
\gamma & ::= & !a(k).P & \text{(repServ)} \\
  & \mid & a(k).P & \text{(serv)} \\
  & \mid & \overline{a}(k).P & \text{(request)} \\
  & \mid & k?(x).P & \text{(input)} \\
  & \mid & k!(e).P & \text{(output)} \\
  & \mid & k?((k')).P & \text{(inputS)} \\
  & \mid & k!((k')).P & \text{(delegation)} \\
  & \mid & k \triangleright \{l_i : P_i\}_{i \in I} & \text{(branch)} \\
  & \mid & k \triangleleft l.P & \text{(select)}
\end{array}
$$


Above, the class of prefixes γ includes services (serv), replicated services (repServ), and service 
invocations (request); as well as in-session communication (input, output), receive and send of session 
channels (inputS, delegation), and branching (branch, select). The other operators are standard. The free 
session (service) channels of a process P, denoted by fsc(P) (fv(P)), are defined as usual. For the sake 
of simplicity, we have removed recursion. We conjecture that our results can be easily extended. 

Example 1 (Buyer-Seller protocol). We recall a variant of the Buyer-Seller protocol from @ where a 
buyer invokes a service buy at a seller for a quote about some product. In case of acceptance by the buyer, 
the seller will place the order by invoking a service ship at a shipper and forward credit card details. 
Finally, the shipper will send directly a confirmation to the buyer. Such a protocol can be described by 
the process P_Buyer | P_Seller | P_Shipper such that: 

$$
\begin{array}{rcl}
P_{Buyer} &=& \overline{buy}(k).\ k?(x_{quote}).\ \mathsf{if}\ x_{quote} < 100\ \mathsf{then}\ k \triangleleft ok.\ k?(x_{conf}).\mathbf{0}\ \mathsf{else}\ k \triangleleft stop.\mathbf{0}\\
P_{Seller} &=& !buy(k).\ k!(quote).\ k \triangleright \{\, ok : \overline{ship}(k').\ k'!((k)).\mathbf{0},\ \ stop : \mathbf{0} \,\}\\
P_{Shipper} &=& !ship(k').\ k'?((k)).\ k!(conf).\mathbf{0}
\end{array}
$$

$$
\begin{array}{ll}
\text{(RInit)} & !a(k).P \mid \overline{a}(k).Q \ \to\ !a(k).P \mid (\nu k)(P \mid Q)\\[2pt]
\text{(Init)} & a(k).P \mid \overline{a}(k).Q \ \to\ (\nu k)(P \mid Q)\\[2pt]
\text{(Com)} & k?(x).P \mid k!(e).Q \ \to\ P[v/x] \mid Q \qquad (e \Downarrow v)\\[2pt]
\text{(Del)} & k?((k')).P \mid k!((k')).Q \ \to\ P \mid Q\\[2pt]
\text{(Sel)} & k \triangleright \{l_i : P_i\}_{i \in I} \mid k \triangleleft l_j.Q \ \to\ P_j \mid Q \qquad (j \in I)\\[2pt]
\text{(Par)} & P \to P' \ \Rightarrow\ P \mid Q \to P' \mid Q\\[2pt]
\text{(Res)} & P \to P' \ \Rightarrow\ (\nu k)\,P \to (\nu k)\,P'\\[2pt]
\text{(Str)} & P \equiv Q,\ \ Q \to Q',\ \ Q' \equiv P' \ \Rightarrow\ P \to P'\\[2pt]
\text{(IfT)} & \mathsf{if}\ e\ \mathsf{then}\ P\ \mathsf{else}\ Q \ \to\ P \qquad (e \Downarrow tt)\\[2pt]
\text{(IfF)} & \mathsf{if}\ e\ \mathsf{then}\ P\ \mathsf{else}\ Q \ \to\ Q \qquad (e \Downarrow ff)
\end{array}
$$

Table 1: Reduction Semantics 

Structural Congruence and Reduction Semantics. The structural congruence ≡ is standard and is 
defined as the minimal relation satisfying the following rules: 

$$
\begin{array}{lll}
(i)\ P \mid Q \equiv Q \mid P & (ii)\ P \mid (Q \mid R) \equiv (P \mid Q) \mid R & (iii)\ P \mid \mathbf{0} \equiv P\\[2pt]
(iv)\ P \equiv Q\ \ (\text{if } P \equiv_\alpha Q) & (v)\ P \mid (\nu k)\,Q \equiv (\nu k)(P \mid Q)\ \ (k \notin \mathrm{fsc}(P)) & (vi)\ (\nu k)\,\mathbf{0} \equiv \mathbf{0}
\end{array}
$$



The standard reduction semantics → [11] is reported in Table 1, where e ⇓ v, taking expressions to 
some values, is left unspecified. Note that we have adopted the original (Del) rule of [11], which requires 
the receiving side to "guess" what is being delegated (as in the internal π-calculus [15]). As a consequence, 
the process k?((k'')).P | k!((k')).Q fails to reduce if k' is free in P, as we cannot rename k'' to k' [19]. We shall 
see that such a process violates transparency (see Remark 25). 

We conclude this section with two auxiliary notions. First, the notion of program, i.e., a process 
containing no free session channels and no occurrences of restricted session channels. 

Definition 2 (Program). A process P is a program whenever fsc(P) = ∅ and there exists P' ≡ P s.t. P' 
has no syntactic sub-term (νk) Q. 

Second, sub-processes, i.e., sub-terms of a process: 

Definition 3 (Sub-Process). A process Q is a sub-process of P iff Q is a sub-term of some P' ≡ P. 



3 Session Typing 

Syntax. Session types abstract the way a single session channel is used within a single session. The 
structure of a session is represented by a type, which is then used as a basis for validating protocols 
through an associated type discipline. Their syntax is given by the following grammar: 

$$
\begin{array}{rcl}
\alpha & ::= & ?(\theta).\alpha \ \mid\ !(\theta).\alpha \ \mid\ \&\{l_i : \alpha_i\} \ \mid\ \oplus\{l_i : \alpha_i\} \ \mid\ \mathsf{end}\\[2pt]
\theta & ::= & S \ \mid\ \alpha \qquad\qquad S\ ::=\ \mathsf{basic} \ \mid\ \langle \alpha \rangle
\end{array}
$$

Here, ?(θ).α and !(θ).α denote in-session input and output followed by the communications in α. The 
type θ abstracts what is communicated: a basic value (basic denotes basic types, e.g., int or bool), a 
service channel of type ⟨α⟩, or a session channel of type α. Finally, &{l_i : α_i} and ⊕{l_i : α_i} denote 
branching and selection types, and end is the inactive session. The dual of α, written ᾱ, is defined as 

$$
\begin{array}{lll}
\overline{?(\theta).\alpha} = !(\theta).\overline{\alpha} & \overline{!(\theta).\alpha} = ?(\theta).\overline{\alpha} & \\[2pt]
\overline{\&\{l_i : \alpha_i\}} = \oplus\{l_i : \overline{\alpha_i}\} & \overline{\oplus\{l_i : \alpha_i\}} = \&\{l_i : \overline{\alpha_i}\} & \overline{\mathsf{end}} = \mathsf{end}
\end{array}
$$

$$
\begin{array}{c}
\text{(T-Serv)}\ \dfrac{\Gamma, a : \langle\alpha\rangle \vdash P \triangleright k : \alpha}{\Gamma, a : \langle\alpha\rangle \vdash a(k).P \triangleright \emptyset}
\qquad
\text{(T-Req)}\ \dfrac{\Gamma, a : \langle\alpha\rangle \vdash P \triangleright \Delta \cdot k : \overline{\alpha}}{\Gamma, a : \langle\alpha\rangle \vdash \overline{a}(k).P \triangleright \Delta}
\\[16pt]
\text{(T-In)}\ \dfrac{\Gamma, x : S \vdash P \triangleright \Delta \cdot k : \alpha}{\Gamma \vdash k?(x).P \triangleright \Delta \cdot k : ?(S).\alpha}
\qquad
\text{(T-Out)}\ \dfrac{\Gamma \vdash P \triangleright \Delta \cdot k : \alpha \qquad \Gamma \vdash e : S}{\Gamma \vdash k!(e).P \triangleright \Delta \cdot k : !(S).\alpha}
\\[16pt]
\text{(T-InS)}\ \dfrac{\Gamma \vdash P \triangleright \Delta \cdot k : \alpha \cdot k' : \beta}{\Gamma \vdash k?((k')).P \triangleright \Delta \cdot k : ?(\beta).\alpha}
\qquad
\text{(T-Del)}\ \dfrac{\Gamma \vdash P \triangleright \Delta \cdot k : \alpha}{\Gamma \vdash k!((k')).P \triangleright \Delta \cdot k : !(\beta).\alpha \cdot k' : \beta}
\\[16pt]
\text{(T-Bra)}\ \dfrac{\Gamma \vdash P_i \triangleright \Delta \cdot k : \alpha_i \quad (\forall i \in I)}{\Gamma \vdash k \triangleright \{l_i : P_i\}_{i \in I} \triangleright \Delta \cdot k : \&\{l_i : \alpha_i\}}
\qquad
\text{(T-Sel)}\ \dfrac{\Gamma \vdash P \triangleright \Delta \cdot k : \alpha_j \quad (j \in I)}{\Gamma \vdash k \triangleleft l_j.P \triangleright \Delta \cdot k : \oplus\{l_i : \alpha_i\}}
\\[16pt]
\text{(T-Par)}\ \dfrac{\Gamma \vdash P_i \triangleright \Delta_i \qquad \Delta_1 \asymp \Delta_2}{\Gamma \vdash P_1 \mid P_2 \triangleright \Delta_1 \odot \Delta_2}
\qquad
\text{(T-Inact)}\ \dfrac{\alpha_i = \mathsf{end} \quad (\forall i)}{\Gamma \vdash \mathbf{0} \triangleright k_1 : \alpha_1 \cdot \ldots \cdot k_n : \alpha_n}
\\[16pt]
\text{(T-RServ)}\ \dfrac{\Gamma, a : \langle\alpha\rangle \vdash P \triangleright k : \alpha}{\Gamma, a : \langle\alpha\rangle \vdash\ !a(k).P \triangleright \emptyset}
\qquad
\text{(T-Res)}\ \dfrac{\Gamma \vdash P \triangleright \Delta \cdot k : \bot}{\Gamma \vdash (\nu k)\,P \triangleright \Delta}
\\[16pt]
\text{(T-Cond)}\ \dfrac{\Gamma \vdash e : \mathsf{bool} \qquad \Gamma \vdash P_i \triangleright \Delta}{\Gamma \vdash \mathsf{if}\ e\ \mathsf{then}\ P_1\ \mathsf{else}\ P_2 \triangleright \Delta}
\qquad
\text{(T-Bot)}\ \dfrac{\Gamma \vdash P \triangleright \Delta \cdot k : \mathsf{end}}{\Gamma \vdash P \triangleright \Delta \cdot k : \bot}
\end{array}
$$

Table 2: Typing Rules for Session Types 



Environments, Judgements and Typing Rules. We define two typing environments, namely the service 
and the session typing. 

$$
\begin{array}{lrcl}
\text{(Service Typing)} & \Gamma & ::= & \Gamma,\ a : S \ \mid\ \emptyset\\[2pt]
\text{(Session Typing)} & \Delta & ::= & \Delta \cdot k : \alpha \ \mid\ \Delta \cdot k : \bot \ \mid\ \emptyset
\end{array}
$$


The service typing fixes the usage of service channels, whereas the session typing fixes the usage of session 
channels. In Δ, a session channel k may be assigned ⊥ rather than a session type α. This records that the 
two sides of session k have already been found in a sub-term (therefore k cannot be used further). When 
convenient, we treat both environments as functions mapping channels to their types. 

Judgements have the form Γ ⊢ P ▷ Δ and are defined in Table 2. The rules are all standard [11] 
except for (T-Serv). As mentioned in the introduction, the fresh channel k is the only session channel 
present in the session environment for the subprocess P. (T-Bot) is necessary in order to guarantee 
subject congruence [19]. We remind the reader that, in (T-Par), Δ_1 ≍ Δ_2 (duality check) holds whenever 
Δ_1(k) is the dual of Δ_2(k) for every k ∈ dom(Δ_1) ∩ dom(Δ_2). Moreover, Δ_1 ⊙ Δ_2 (assign ⊥ when both sides of a 
session have been found) is defined as Δ_1 + Δ_2 + Σ_{k ∈ dom(Δ_1) ∩ dom(Δ_2)} k : ⊥. 
Example 4. The Buyer-Seller protocol from Example 1 is clearly well typed according to the rules in 
Table 2. In fact, the judgement Γ ⊢ P_Buyer | P_Seller | P_Shipper ▷ ∅ holds whenever Γ contains: 

$$
\begin{array}{rcl}
buy & : & \langle\, !(\mathsf{int}).\ \&\{\, ok : !(\mathsf{string}).\,\mathsf{end},\ \ stop : \mathsf{end} \,\} \,\rangle\\[2pt]
ship & : & \langle\, ?(!(\mathsf{string})).\,\mathsf{end} \,\rangle
\end{array}
$$

Clearly, a process well-typed according to Table 2 is also well-typed according to the standard typing 
[11]. As a consequence, it is straightforward to obtain the standard subject congruence/reduction results. 

Theorem 5. Let Γ ⊢ P ▷ Δ. Then, (1) P ≡ Q implies Γ ⊢ Q ▷ Δ; and (2) P → P' implies Γ ⊢ P' ▷ Δ. 



4 Session Dependency Graphs 

In this section, we recall, generalize, and develop session dependency graphs, introduced in [7] for a 
language dealing with exceptions and without delegation. In subsequent sections, we shall use them to 
establish progress for a class of well-typed processes. 

Informally, given a restriction-free process P = γ_1 | ... | γ_n where each γ_i is called a "thread", P's 
session dependency graph has a node for each thread γ_i and edges between threads γ_i, γ_j if the two share 
a free session channel. Observe that a thread γ_i can be blocked on a session channel k, waiting for γ_j 
to synchronize on k, only if the two have an edge between them. It follows that a well-typed process 
is deadlocked only if its session dependency graph contains a cycle (we prove this result formally in 
Theorem 23). Notice how this approach to deadlock detection differs from the focus on the ordering of 
channel usage found frequently in the literature, e.g., in [13, 9]. 

Definition 6 (Session Dependency Graph). Let P be a well-typed process. The session dependency graph 
𝒢(P) = (𝒩(P), ℰ(P), ℒ_P) is the labelled unoriented graph¹ with nodes 𝒩(P), edges ℰ(P) and labels 
ℒ_P : 𝒩(P) → 𝒫(N) defined inductively on the term structure of P as follows: 

$$
\begin{array}{rcl}
\mathcal{G}(\mathbf{0}) &=& (\emptyset,\ \emptyset,\ \emptyset)\\[4pt]
\mathcal{G}((\nu k)\,P) &=& (\mathcal{N}(P),\ \mathcal{E}(P),\ \mathcal{L}_P \setminus \{k\})\\[4pt]
\mathcal{G}(\gamma) &=& (\{\bullet\},\ \emptyset,\ [\bullet \mapsto \mathrm{fsc}(\gamma)])\\[4pt]
\mathcal{G}(P \mid Q) &=& \Big(\mathcal{N}(P) + \mathcal{N}(Q),\ \ \mathcal{E}(P) + \mathcal{E}(Q) + \sum_{\substack{p \in \mathcal{N}(P),\ q \in \mathcal{N}(Q)\\ k \in \mathcal{L}_P(p) \cap \mathcal{L}_Q(q)}} (p, q),\ \ \mathcal{L}_P + \mathcal{L}_Q\Big)
\end{array}
$$

Here, we take (ℒ_P \ {k})(p) = ℒ_P(p) \ {k}. Note that one edge is added for every session channel shared 
by a node of P and a node of Q, so two nodes sharing two channels are joined by two parallel edges (cf. Example 8). 

The definition of graph is insensitive to structural congruence: 

Lemma 7. Let P, Q be well-typed processes s.t. P ≡ Q. Then 𝒢(P) ≅ 𝒢(Q). 

Proof. By cases on the definition of ≡. □ 

Example 8. Consider the following process. 

$$
k'?(x).\,k''!(x) \ \mid\ k''?(x).\,k'!(x) \qquad (3)
$$

The session dependency graph of this process has two nodes, both labelled by {k', k''}, and thus has two 
edges between those two nodes (one for k', one for k''). Thus, the graph has a cycle. Consider the same 
process, only restricting k', k''. 

$$
(\nu k' k'')\,\big(k'?(x).\,k''!(x) \ \mid\ k''?(x).\,k'!(x)\big) \qquad (4)
$$

Its graph has the same nodes and edges, but both nodes are now labelled by ∅. Obviously, also this graph 
contains a cycle. Now, prefix the process with a service. 

$$
a(k).\,(\nu k' k'')\,\big(k'?(x).\,k''!(x) \ \mid\ k''?(x).\,k'!(x)\big) \qquad (5)
$$

This process has a graph with a single, unlabelled node and no edges which, obviously, contains no cycle. 

¹ Technically, a graph is here a 5-tuple (N, E, L, dom, cod), where the latter two are maps dom, cod : E → N taking edges to 
their domain and co-domain respectively. We elide these maps; their values shall always be clear from the context. 



Example 9. The graph of P_Buyer | P_Seller | P_Shipper in Example 1 clearly has three unlabelled nodes. 
However, after one step of reduction, we have: 

$$
(\nu k)\,\big(k?(x_{quote}).\,Q_1 \ \mid\ k!(quote).\,Q_2 \ \mid\ P_{Shipper}\big) \qquad (6)
$$

where Q_1 and Q_2 are the remainders of the buyer's and seller's processes. The session interdependency graph 
of the process above becomes (restriction removes labels): 

[graph: the two nodes of the buyer and seller threads, joined by an edge for k; the shipper node isolated; all labels empty] 

If we further reduce (6) until also the shipper is invoked, we obtain the process: 

$$
(\nu k, k')\,\big(k?(x_{conf}).\mathbf{0} \ \mid\ k'!((k)).\mathbf{0} \ \mid\ k'?((k)).\,k!(conf).\mathbf{0}\big)
$$

whose graph is: 

[graph: three unlabelled nodes in a path; the first and second share k, the second and third share k'] 




Notation. To ease the presentation, we shall frequently say, e.g., "p is a node of 𝒢(P)" and "p is 
labelled by k in 𝒢(P)" rather than the less readable "p ∈ 𝒩(P)" and "k ∈ ℒ_P(p)". Moreover, when no 
confusion may arise, we drop the "in/of 𝒢(P)", saying simply, e.g., "p is labelled k". 

We conclude this section by noting two important facts about session dependency graphs. First, the 
combinatorics of typing. 

Lemma 10. Let Γ ⊢ P ▷ k_1 : ⊥ · ... · k_n : ⊥ · k'_1 : α_1 · ... · k'_m : α_m. Then (1) for each j at most one node 
p of 𝒢(P) is labelled k'_j, and (2) when P contains no top-level restrictions 𝒢(P) has at most n edges. 

Proof. By induction on P. □ 

Second, the structure of programs. Recall from Section 2 that programs have no free session channels 
and no non-trivial restricted session channels. 

Proposition 11. Let P be a well-typed program and Q any of its sub-processes. Then 𝒢(Q) has no edges. 

Proof. Note Γ ⊢ P ▷ ∅ for some Γ. Let R be a sub-process of P. Then, also Γ_R ⊢ R ▷ Δ_R for some Γ_R, Δ_R. 
By Lemma 10 it is enough to prove that every k ∈ dom(Δ_R) has Δ_R(k) ≠ ⊥. We show that Δ_R(k) = ⊥ for 
some k would contradict Γ ⊢ P ▷ ∅. For this, it is sufficient to prove that every rule preserves k : ⊥ 
in Δ from premises to conclusion. This is trivial for all rules but (T-Res) and (T-Serv). Now, (T-Res) 
does not apply to programs and their sub-processes, and (T-Serv) accepts no k : ⊥ in its premises. □ 



5 Transparent Processes 

In this section, we define the notion of transparent process and investigate its properties. In particular, we 
prove that every program is transparent and that transparent processes are closed under reduction. Along 
the way, we get to thoroughly exercise session dependency graphs, exhibiting their particular strengths. 
These results pave the way for proving that every transparent process has progress in the next section. 

We define the transparent processes as those whose graphs are, essentially, "everywhere acyclic". 

Definition 12 (Transparent Process). Let P be a well-typed process. We say that P is transparent iff every 
sub-process Q of P has 𝒢(Q) acyclic. 

Example 13. Neither the process of (3), of (4) nor of (5) is transparent. The former two because they 
themselves have cyclic session dependency graphs, the latter because it contains a sub-process which has 
(namely the process of (4)). However, the buyer-seller system from Example 1 is transparent. 
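The graph construction of Definition 6 and the transparency check of Definition 12, run over the processes of Examples 1, 8 and 9 and the three-thread example of the introduction, as an added Python example (not code from the paper). It assumes well-typed input, treats a conditional as a single thread like a prefix, and enumerates syntactic sub-terms only rather than all sub-processes modulo structural congruence (both are assumptions of this example).

```python
# Session dependency graphs (Definition 6) and transparency (Definition 12) over a
# tuple-encoded process syntax. Added example, not code from the paper; processes are
# assumed well-typed and a conditional is treated as one thread (assumption).
#   ("0",)                    0                    ("par", P, Q)   P | Q
#   ("res", k, P)             (vk) P               ("if", P, Q)    if e then P else Q
#   ("serv", a, k, P)         a(k).P, !a(k).P, or the request a-bar(k).P   (k bound in P)
#   ("com", k, P)             k?(x).P, k!(e).P or k <| l.P   (x, e are not session channels)
#   ("inS", k, k2, P)         k?((k2)).P           (k2 bound in P)
#   ("del", k, k2, P)         k!((k2)).P           (k2 is delegated and stays free)
#   ("bra", k, (P1, .., Pn))  k |> { l_i : P_i }
from itertools import product
from typing import FrozenSet, Iterator, List, Tuple

Proc = tuple
Edge = Tuple[int, int, str]  # (node of P, node of Q, shared session channel)

def fsc(P: Proc) -> FrozenSet[str]:
    """Free session channels of P, following the binders of the syntax in Section 2."""
    tag = P[0]
    if tag == "0":
        return frozenset()
    if tag in ("par", "if"):
        return fsc(P[1]) | fsc(P[2])
    if tag == "res":
        return fsc(P[2]) - {P[1]}
    if tag == "serv":
        return fsc(P[3]) - {P[2]}
    if tag == "com":
        return fsc(P[2]) | {P[1]}
    if tag == "inS":
        return (fsc(P[3]) - {P[2]}) | {P[1]}
    if tag == "del":
        return fsc(P[3]) | {P[1], P[2]}
    if tag == "bra":
        return frozenset({P[1]}).union(*(fsc(Pi) for Pi in P[2]))
    raise ValueError(f"unknown constructor {tag!r}")

def graph(P: Proc) -> Tuple[List[FrozenSet[str]], List[Edge]]:
    """G(P) as (labels, edges): node i carries labels[i]; parallel edges are kept."""
    tag = P[0]
    if tag == "0":
        return [], []                                    # G(0) = (empty, empty, empty)
    if tag == "res":
        labels, edges = graph(P[2])
        return [lab - {P[1]} for lab in labels], edges   # restriction drops a label, keeps edges
    if tag == "par":
        lp, ep = graph(P[1])
        lq, eq = graph(P[2])
        off = len(lp)                                    # Q's nodes are numbered after P's
        edges = ep + [(p + off, q + off, k) for p, q, k in eq]
        # one edge per session channel shared by a node of P and a node of Q
        edges += [(p, q + off, k) for p, q in product(range(len(lp)), range(len(lq)))
                  for k in sorted(lp[p] & lq[q])]
        return lp + lq, edges
    return [fsc(P)], []                                  # a thread: one node labelled fsc(gamma)

def acyclic(labels: List[FrozenSet[str]], edges: List[Edge]) -> bool:
    """Union-find forest test: an edge between already connected nodes closes a cycle."""
    parent = list(range(len(labels)))
    def find(x: int) -> int:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for p, q, _ in edges:
        rp, rq = find(p), find(q)
        if rp == rq:
            return False
        parent[rp] = rq
    return True

def subterms(P: Proc) -> Iterator[Proc]:
    """Syntactic sub-terms of P (sub-processes modulo structural congruence are not enumerated)."""
    yield P
    children = list(P[2]) if P[0] == "bra" else [x for x in P[1:] if isinstance(x, tuple)]
    for child in children:
        yield from subterms(child)

def transparent(P: Proc) -> bool:
    """Definition 12: every sub-process has an acyclic session dependency graph."""
    return all(acyclic(*graph(Q)) for Q in subterms(P))

# Processes from the page, constructed here (k1 = k', k2 = k'').
ZERO = ("0",)
INTRO = ("par", ("par", ("com", "k", ("com", "k2", ZERO)), ("com", "k", ZERO)), ("com", "k2", ZERO))
EX3 = ("par", ("com", "k1", ("com", "k2", ZERO)), ("com", "k2", ("com", "k1", ZERO)))  # (3)
EX4 = ("res", "k1", ("res", "k2", EX3))                                                 # (4)
EX5 = ("serv", "a", "k", EX4)                                                            # (5)
P_BUYER = ("serv", "buy", "k", ("com", "k", ("if", ("com", "k", ("com", "k", ZERO)), ("com", "k", ZERO))))
P_SELLER = ("serv", "buy", "k", ("com", "k", ("bra", "k",
            (("serv", "ship", "k2", ("del", "k2", "k", ZERO)), ZERO))))
P_SHIPPER = ("serv", "ship", "k2", ("inS", "k2", "k", ("com", "k", ZERO)))
BUYER_SELLER = ("par", ("par", P_BUYER, P_SELLER), P_SHIPPER)                            # Example 1
EX9 = ("res", "k", ("res", "k2", ("par", ("par", ("com", "k", ZERO), ("del", "k2", "k", ZERO)),
                                  ("inS", "k2", "k", ("com", "k", ZERO)))))              # Example 9, last state

if __name__ == "__main__":
    for name, P in [("intro", INTRO), ("(3)", EX3), ("(4)", EX4), ("(5)", EX5),
                    ("Example 1", BUYER_SELLER), ("Example 9", EX9)]:
        labels, edges = graph(P)
        print(f"{name:10} edges={edges} acyclic={acyclic(labels, edges)} transparent={transparent(P)}")
```

Process (5) shows why Definition 12 quantifies over sub-processes: its own graph is a single node, yet the cyclic graph of (4) sits underneath the service prefix.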

Transparent processes are closed under structural congruence: 

Lemma 14. Let P, Q be well-typed processes s.t. P ≡ Q. Then P is transparent iff Q is transparent. 

Proof. By cases on the definition of ≡. □ 

The rest of this section is dedicated to proving our first main result, i.e., transparency is preserved by 
reduction. In the next section, we will use these results to prove that transparent processes progress. 

In order to see that a reduction P → P' preserves transparency, we need to relate the session dependency 
graph of P to the one of P'. Informally, we make the following observations: 

1. The set of free session channels of a process is non-increasing under reduction. Thus, even though 
the nodes and edges of 𝒢(P) and 𝒢(P') might be very different, the labels of 𝒢(P') contain only 
names also in labels of 𝒢(P). 

2. We can speak of a label k of 𝒢(P) having a path to a label k' in both graphs if there is a path from a 
node labelled k to a node labelled k'. Thus, we arrive at the invariant: if k has a path to k' in 𝒢(P'), 
it also had so in 𝒢(P). This property is enough to ensure transparency preservation. 

We proceed to define precisely this notion of a path from k to k'. 

Definition 15. Let P be a well-typed process, and let k, k' ∈ fsc(P). We say that "k ⇝ k' in 𝒢(P)" iff 
there exist nodes p, p' in 𝒢(P), labelled by k, k' respectively, s.t. there is a path from p to p' in 𝒢(P). 

Observe that the relation ⇝ is reflexive (because k, k' need not be distinct and there is always 
a path from a node to itself) and symmetric (because the graph is). Moreover, because any two nodes 
p, p' sharing a label k will have an edge between them, we could equivalently have defined "k ⇝ k' iff 
for any two nodes p, p' labelled by k, k', there is a path from p to p'". It follows that ⇝ is transitive. 

Remark 16. One of the key insights carrying the proof that reduction preserves transparency is that 
⇝ is non-increasing under reduction of transparent processes. It is instructive to see this for a 
particular case involving delegation. Consider the following reduction: 

$$
\gamma_1 \mid \gamma_2 \mid \gamma_3 \ \to\ \gamma_1' \mid \gamma_2' \mid \gamma_3'
$$

Before reduction, γ_1 and γ_2 share session k, and γ_2 and γ_3 share the session k'. After reduction, session k 
has moved, and is now between γ_1 and γ_3. Graphically, the session dependency graphs change as follows: 

[graphs: before, γ_1 is joined to γ_2 by k and γ_2 to γ_3 by k'; after, γ_1' is joined to γ_3' by k and γ_2' to γ_3' by k'] 

However, as is immediately obvious from the graphical representation, the connectivity of k and k' did not 
change: they met at exactly one node before reduction, and they meet at exactly one node after reduction. 
This is the essential reason why delegation cannot introduce a cycle in the session dependency graph. 

Theorem 17 (Preservation of transparency). Let R be a well-typed process s.t. R → R'. Then 

1. if R is transparent then so is R'; and 

2. if ¬(k ⇝ k') in R, then also ¬(k ⇝ k') in R'. 

Before the proof, observe that part (2) is vacuously true for k, k' ∉ fsc(R). 

Proof (sketch). Technically, the proof proceeds by induction on the derivation of R → R'. Hereby, we 
discuss the most interesting cases. 

• (Init) a(k).P | ā(k).Q → (νk)(P | Q). 

1. Because 𝒢(a(k).P | ā(k).Q) is transparent, so are 𝒢(P) and 𝒢(Q). Thus, in order to prove 
𝒢((νk)(P | Q)) transparent, it is sufficient to prove it acyclic. By (T-Serv), there exists α 
s.t. Γ ⊢ P ▷ k : α. Thus, by Lemma 10 the nodes of 𝒢(P) have empty labelling, except for at 
most one node; and that unique node is labelled k (if it exists at all). Now note that there 
exists also Δ' s.t. Γ ⊢ Q ▷ Δ' · k : ᾱ. By linearity of the session environment, and Lemma 
10, we find that at most one node of 𝒢(Q) is labelled k. Thus 𝒢((νk)(P | Q)) is formed by 
adding at most one edge between the acyclic graphs 𝒢(P) and 𝒢(Q) and is hence itself acyclic. 

2. It is sufficient to prove k' ⇝ k'' in R for any k', k'' ∈ fsc(R). Observe that 𝒢(a(k).P | ā(k).Q) 
has exactly two nodes, one in 𝒢(a(k).P) and one in 𝒢(ā(k).Q). As fsc(a(k).P) is empty by 
typing, it follows that the free session channels of R are fsc(ā(k).Q). But then the node of 
𝒢(ā(k).Q) is labelled by every free session channel name of R, whence trivially, k' ⇝ k''. 

• (Com) k?(x).P | k!(e).Q → P[v/x] | Q (e ⇓ v). 

1. As 𝒢(R) = 𝒢(k?(x).P | k!(e).Q) is transparent, then also 𝒢(P[v/x]) and 𝒢(Q) are transparent 
(the former because neither v nor x are session channel names). It is now sufficient to 
prove that the graph 𝒢(R') = 𝒢(P[v/x] | Q) is acyclic. Now, assume for a contradiction that 
𝒢(R') contains a cycle. Because 𝒢(P) and 𝒢(Q) are transparent and thus acyclic, it must be 
the case that there exist two distinct edges connecting 𝒢(P) and 𝒢(Q). Suppose wlog that 
these edges arise from k', k'' with k', k'' ∈ fsc(P[v/x]) ∩ fsc(Q), and k' ⇝_P k'' ⇝_Q k'. As x is 
not a session channel name, also k', k'' ∈ fsc(P). But then also k', k'' ∈ fsc(k?(x).P) and 
k', k'' ∈ fsc(k!(e).Q), so a cycle is already in 𝒢(R). Contradiction. 

2. We prove again that k' ⇝ k'' in 𝒢(R) for any k', k'' ∈ fsc(R). Observe again that 𝒢(R) = 
𝒢(k?(x).P | k!(e).Q) has exactly two nodes, this time with an edge between them induced 
by k. But then 𝒢(R) is in fact connected, so trivially k' ⇝ k'' in 𝒢(R). 

• (Del) k?((k')).P | k!((k')).Q → P | Q. 

1. By assumption R = k?((k')).P | k!((k')).Q is transparent, so also P, Q are transparent. It is now 
sufficient to prove that P | Q is itself acyclic. Suppose it is not. Both P, Q are transparent and 
hence acyclic, so P | Q cyclic must mean that there exist k'', k''' ∈ fsc(P) ∩ fsc(Q). We must 
have k' = k'' or k' = k''', or R is itself cyclic; assume k' = k'''. Thus k', k'' ∈ fsc(P) ∩ fsc(Q). 
But because R is well-typed, we must have k' ∉ fsc(Q); contradiction. 

2. Identical to the (Com) case. 

• (Par) P → P' ⟹ P | Q → P' | Q. 

1. Because P | Q is transparent, also P, Q are transparent. By the induction hypothesis, also P' is transparent, 
so it is sufficient to prove P' | Q acyclic. Assume for a contradiction that P' | Q contains a 
cycle. As P', Q are both acyclic, there must exist two edges between 𝒢(P') and 𝒢(Q). Assume 
wlog that these edges are induced by distinct k, k' ∈ fsc(P') ∩ fsc(Q) with k ⇝_{P'} k' ⇝_Q k. 
Because P → P' implies fsc(P') ⊆ fsc(P), we find k, k' ∈ fsc(P), so by the induction hypothesis, 
k ⇝_P k', and by composition k ⇝_P k' ⇝_Q k, and a cycle is already in P | Q. Contradiction. 

2. We prove the contrapositive: supposing k ⇝_{P'|Q} k' for k, k' ∈ fsc(P' | Q), we will see that 
k ⇝_{P|Q} k'. There must exist a sequence k = k_0, ..., k_n = k' with each i having either k_i ⇝_{P'} k_{i+1} 
or k_i ⇝_Q k_{i+1}. By the induction hypothesis, each k_i ⇝_{P'} k_{i+1} implies k_i ⇝_P k_{i+1} so, by 
stringing the path back together and noting that ⇝ is transitive, we find k ⇝_{P|Q} k'. □ 

6 Progress 

In this section, we give our main technical results: that every transparent process has progress; and that 
all programs are transparent. Intuitively, a process has progress if it cannot reduce to a process that is 
"stuck". We shall follow [9] in taking a non-trivial process to be stuck if it is irreducible in any context. 
Thus, we do not consider a process stuck if it needs a service or a counter-party to an active session. In 
the sequel, a process contains no live session channels whenever all its session channels are bound by 
(repServ) or (serv). Moreover, leti? [•] denote a reduction context, i.e., E[-] ::= • | E[] \ P \ (vk) E[-]. 

Definition 18 (Progress). A process P has progress if P — >* P' implies that for every reduction context 
E[-] with P =E[P"], whenever P" contains live channels then there exists a process Q s.t. 



• (DEL) k{k'}. P | k(k')). Q^P\Q 



(a) 2A 

(b) P" | Q is well-typed 



(c) P"\Q^R 

(d) R has progress 
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Observe that processes with no live channels have progress. 

This very strong but intentional definition of progress captures the intuition that a process has 
progress when no thread is permanently blocked. For a process $P$ to have progress, any process 
$P'$ reachable from $P$ must be either without any live channel or such that each of its top-level sub-processes 
$P''$ can be composed in parallel with a process $Q$ where: (a) $Q$ is stuck; (b) $P'' \mid Q$ is well typed, i.e., $Q$ 
only provides services, requests or counter-parties to active sessions in $P''$; and (c, d) $P'' \mid Q$ can reduce 
to a process that also has progress. The focus on sub-processes makes sure that non-terminating 
processes do not automatically have progress, e.g.: 

$$k'?(x).\,k''!(x) \;\mid\; k''?(x).\,k'!(x) \;\mid\; !a(k).\,a(k) \;\mid\; a(k) \qquad (7)$$ 

Here the first two threads wait for each other forever, yet the process as a whole never stops reducing 
because the service $a$ keeps invoking itself; only the quantification over sub-processes exposes the deadlock. 

Remark 19. The definition above differs somewhat from the ones found in the literature, e.g., [12]. 
The present one has the distinct advantage that it is independent of the means chosen to establish progress. 
Other works use a special typing system to establish progress already in the definition of progress itself. 
For instance, the processes (1) and (2) on page 15 intuitively have progress: all of their sessions 
run to termination when given access to appropriate services. And, both processes have progress wrt 
our definition. However, neither has progress as defined in [2], where the definition of progress is in- 
extricably linked to the typing system guaranteeing it, and both of those processes are untypable in 
that system (our definition requires typability, for guaranteeing in-session linearity, but it does not re- 
quire transparency). As a further example, write $P_1$ for $k'?(x).\,k''!(x) \mid k''?(x).\,k'!(x)$ and $P_2$ for 
$k'?(x).\,k''!(x) \mid k'!(e).\,k''?(x)$, and consider 

$$k \triangleright \{\, l_1 : P_1,\; l_2 : P_2 \,\} \;\mid\; k \triangleleft l_2 .$$ 

Again, this process intuitively has progress (it can only run to termination); it is included by the 
present definition of progress, but not by the one of [2]. Note that the process above is not transparent. 

Having established that transparency is preserved by reduction, we proceed to show that a well-typed, 
transparent process has progress. In particular, we need to show that we can build the additional process 
$Q$ found in the definition of progress. Our idea is to do that by exploiting the type of a given process. 
The next result shows that every session type is in fact inhabited, i.e., from a session type $\alpha$ we can 
reconstruct a process which behaves exactly as specified by $\alpha$. In the sequel, we shall assume that all 
basic types are inhabited. For convenience, we further assume that they are all inhabited by the same 
value "1"; however this assumption is easily rendered unnecessary. 

Lemma 20 (Every session type is inhabited). For any session type $\alpha$ and session channel $k$, there exists 
a transparent process $[\alpha]^k$ with $\vdash [\alpha]^k \triangleright k : \alpha$, defined in Figure 1. 

In the above lemma, the first three cases reconstruct a process that inputs a value, a service channel and 
a session respectively. (outVal), (outServ) and (outSess) are their dual counterparts. (inSum) and 
(outSum) are external and internal choice, while (end) generates the inactive process from the end type. 

Example 21. Here is an illustrative example. 

$$[\,?((\,?(\mathsf{basic}).\,!(\mathsf{basic})\,)).\,!(\mathsf{basic})\,]^k \;=\; k?((k')).\,\big(\, k!(1).\,0 \;\mid\; k'?(x).\,k'!(1).\,0 \,\big)$$ 

Note how received values are never used and how the process only ever sends "1". 
(inVal)    $[\,?(\mathsf{basic}).\,\alpha\,]^k \;=\; k?(x).\,[\alpha]^k$ 

(inServ)   $[\,?(\langle\beta\rangle).\,\alpha\,]^k \;=\; k?(a).\,[\alpha]^k$ 

(inSess)   $[\,?((\beta)).\,\alpha\,]^k \;=\; k?((k')).\,\big([\alpha]^k \mid [\beta]^{k'}\big)$ 

(outVal)   $[\,!(\mathsf{basic}).\,\alpha\,]^k \;=\; k!(1).\,[\alpha]^k$ 

(outServ)  $[\,!(\langle\beta\rangle).\,\alpha\,]^k \;=\; k!\langle a\rangle.\,\big([\alpha]^k \;\mid\; !a(k').\,[\beta]^{k'}\big)$ 

(outSess)  $[\,!((\beta)).\,\alpha\,]^k \;=\; (\nu k')\,\big(k!((k')).\,([\alpha]^k \mid [\bar\beta]^{k'})\big)$ 

(inSum)    $[\,\&\{l_i : \alpha_i\}\,]^k \;=\; k \triangleright \{\, l_i : [\alpha_i]^k \,\}$ 

(outSum)   $[\,\oplus\{l_i : \alpha_i\}\,]^k \;=\; k \triangleleft l_i.\,[\alpha_i]^k$ (for any fixed $i$) 

(end)      $[\,\mathsf{end}\,]^k \;=\; 0$ 

Figure 1: Translation $[-]^k$ 



Example 22. In the buyer-seller protocol, the session type of the session buy reported in Example 4 
is $!(\mathsf{int}).\,\&\{\, \mathsf{ok} : !(\mathsf{string}).\,\mathsf{end},\; \mathsf{stop} : \mathsf{end} \,\}$. According to the construction of the previous 
lemma, for some $k$, we can build the process $k!(1).\,k \triangleright \{\, \mathsf{ok} : k!(\text{"a"}).\,0,\; \mathsf{stop} : 0 \,\}$, where we have 
chosen to inhabit string by the string "a" (and, as stipulated above, int by 1). 
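The translation of Figure 1 written out as a small program, added here as an example and not code from the paper: session types are a tiny algebraic datatype, `dual` computes the complementary type that (outSess) needs for the kept end $[\bar\beta]^{k'}$, and `inhabit` builds $[\alpha]^k$ as a process string. Fresh session channels are named k', k'', ... and fresh service names a, a', ...; basic types are inhabited by 1 unless a value is supplied (string by "a", as in Example 22), and (outSum) selects the first label. The class names, the naming scheme and the textual rendering of processes are choices of this example, not the paper's notation. Examples 21 and 22 are reproduced as constants.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Union

# Session types, one class per case of Figure 1.  `cont` is the continuation α; `carried` is the
# type β of the service name or session being received/sent.  (Class names are ours.)
@dataclass(frozen=True)
class End: pass                                   # end
@dataclass(frozen=True)
class InVal:   basic: str; cont: SType            # ?(basic).α
@dataclass(frozen=True)
class OutVal:  basic: str; cont: SType            # !(basic).α
@dataclass(frozen=True)
class InServ:  carried: SType; cont: SType        # ?(<β>).α
@dataclass(frozen=True)
class OutServ: carried: SType; cont: SType        # !(<β>).α
@dataclass(frozen=True)
class InSess:  carried: SType; cont: SType        # ?((β)).α
@dataclass(frozen=True)
class OutSess: carried: SType; cont: SType        # !((β)).α
@dataclass(frozen=True)
class Branch:  opts: tuple                        # &{ l_i : α_i }  as ((label, type), ...)
@dataclass(frozen=True)
class Select:  opts: tuple                        # ⊕{ l_i : α_i }

SType = Union[End, InVal, OutVal, InServ, OutServ, InSess, OutSess, Branch, Select]

_SWAP = {InVal: OutVal, OutVal: InVal, InServ: OutServ, OutServ: InServ, InSess: OutSess, OutSess: InSess}

def dual(t: SType) -> SType:
    """Complementary type: input <-> output, branching <-> selection; carried types are unchanged."""
    if isinstance(t, End):
        return End()
    if isinstance(t, (InVal, OutVal)):
        return _SWAP[type(t)](t.basic, dual(t.cont))
    if isinstance(t, (InServ, OutServ, InSess, OutSess)):
        return _SWAP[type(t)](t.carried, dual(t.cont))
    if isinstance(t, (Branch, Select)):
        opts = tuple((label, dual(alt)) for label, alt in t.opts)
        return Select(opts) if isinstance(t, Branch) else Branch(opts)
    raise TypeError(f"not a session type: {t!r}")

def inhabit(alpha: SType, k: str = "k", values: Optional[dict] = None) -> str:
    """[alpha]^k of Figure 1 as a process string.  `values` maps basic-type names to the value that
    inhabits them; anything unlisted is inhabited by 1.  Fresh channels are k', k'', ... and fresh
    service names a, a', ... (the naming scheme and the string rendering are ours)."""
    values = {"string": '"a"', **(values or {})}
    counter = {"chan": 0, "serv": -1}

    def fresh(kind: str) -> str:
        counter[kind] += 1
        return (k if kind == "chan" else "a") + "'" * counter[kind]

    def go(t: SType, c: str) -> str:
        if isinstance(t, End):                               # (end)     0
            return "0"
        if isinstance(t, InVal):                             # (inVal)   k?(x).[α]^k, x is never used
            return f"{c}?(x). {go(t.cont, c)}"
        if isinstance(t, OutVal):                            # (outVal)  k!(1).[α]^k
            return f"{c}!({values.get(t.basic, '1')}). {go(t.cont, c)}"
        if isinstance(t, InServ):                            # (inServ)  k?(a).[α]^k
            return f"{c}?({fresh('serv')}). {go(t.cont, c)}"
        if isinstance(t, OutServ):                           # (outServ) k!<a>.([α]^k | !a(k').[β]^k')
            a, k2 = fresh("serv"), fresh("chan")
            return f"{c}!<{a}>. ({go(t.cont, c)} | !{a}({k2}). {go(t.carried, k2)})"
        if isinstance(t, InSess):                            # (inSess)  k?((k')).([α]^k | [β]^k')
            k2 = fresh("chan")
            return f"{c}?(({k2})). ({go(t.cont, c)} | {go(t.carried, k2)})"
        if isinstance(t, OutSess):                           # (outSess) (νk')(k!((k')).([α]^k | [β̄]^k'))
            k2 = fresh("chan")
            return f"(v{k2}) ({c}!(({k2})). ({go(t.cont, c)} | {go(dual(t.carried), k2)}))"
        if isinstance(t, Branch):                            # (inSum)   k>{ l_i : [α_i]^k }
            return f"{c}>{{ " + ", ".join(f"{label} : {go(alt, c)}" for label, alt in t.opts) + " }"
        if isinstance(t, Select):                            # (outSum)  k<l_1.[α_1]^k, first label chosen
            label, alt = t.opts[0]
            return f"{c}<{label}. {go(alt, c)}"
        raise TypeError(f"not a session type: {t!r}")

    return go(alpha, k)

# Example 21: ?((?(basic).!(basic))).!(basic), with the implicit trailing `end` written out.
EXAMPLE_21 = InSess(InVal("basic", OutVal("basic", End())), OutVal("basic", End()))
# Example 22: the type of session `buy`, !(int).&{ ok : !(string).end, stop : end }.
EXAMPLE_22 = OutVal("int", Branch((("ok", OutVal("string", End())), ("stop", End()))))

if __name__ == "__main__":
    print(inhabit(EXAMPLE_21))          # k?((k')). (k!(1). 0 | k'?(x). k'!(1). 0)
    print(inhabit(EXAMPLE_22))          # k!(1). k>{ ok : k!("a"). 0, stop : 0 }
    print(inhabit(dual(EXAMPLE_22)))    # the buyer's side: k?(x). k<ok. k?(x). 0
```

The last line of the usage shows the role this construction plays in Theorem 23 below: for a process holding `buy` at the seller's type, `inhabit(dual(...))` is exactly the counter-party $Q$ that can be composed in parallel to make the session fire.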

Knowing that every session type is inhabited, we can prove that well-typed, transparent processes 
either have no live channels or can reduce given the proper environment. 

Theorem 23 (Reduction of Transparent Processes). Let $P$ be a well-typed, transparent process. Either 
$P$ has no live channels, or there exists some $Q \not\to$ such that $P \mid Q$ is well-typed, transparent and $P \mid Q \to$. 

Proof. If $P$ has no live channels then we are done. Also, if $P \to$ then also $P \mid 0 \to$, with $0 \not\to$ trivially and 
$P \mid 0$ clearly transparent. So assume $P \not\to$. Assume wlog $P = (\nu \tilde{k})\,(\gamma_1 \mid \cdots \mid \gamma_n)$ and $\Gamma \vdash P \triangleright \Delta$. 

Suppose first that for some $i$, $\gamma_i$ is a service invocation $\gamma_i = a(k).\,Q$. Then, by Lemma 20 there exists 
some $\Gamma'$ with $\Gamma, \Gamma' \vdash P \mid\; !a(k).\,[\Gamma(a)]^k \triangleright \Delta$; clearly $P \mid\; !a(k).\,[\Gamma(a)]^k$ is transparent and reduces. 

Suppose instead that no $\gamma_i$ is such a service invocation. Now consider the case where for some 
$k$, $k : \alpha \in \Delta$ with $\alpha \neq \bot$. Then $k$ is free in $P$ and its counter-party lies outside $P$, so again by 
Lemma 20, $P \mid [\bar\alpha]^k$ is well-typed and transparent, and this process clearly reduces. So, consider instead 
(and finally) the case where every $k$ mentioned by $\Delta$ in fact has $k : \bot \in \Delta$. We shall arrive at a 
contradiction, demonstrating that this typing is not possible for $P$ transparent with $P \not\to$. Observe first 
that, up to labels, $\mathcal{G}(P) \cong \mathcal{G}(\gamma_1 \mid \cdots \mid \gamma_n)$. We shall treat each $\gamma_i$ interchangeably as a process 
and as a node of this graph. Suppose wlog that every $\gamma_i$ has live channels (otherwise, observe that such a 
$\gamma_i$ would contain no free session channels, whence we may conduct the following argument in the sub-graph 
of those $\gamma_j$ that do have live channels). Thus, each $\gamma_i$ has an enabled action on some $k_i$. Because $P \not\to$ 
and $P$ is well-typed, the $k_i$ are pairwise distinct. Because $P$ is well-typed and $k_i : \bot \in \Delta$, for each $i$ 
there exists a unique $j \neq i$ with $k_i \in \mathrm{fsc}(\gamma_j)$. But then $\mathcal{G}(P)$ has $n$ nodes and at least $n$ distinct 
edges, and must thus contain a cycle, contradicting the transparency of $P$. □ 

Theorem 24. Well-typed and transparent processes have progress. 

Proof. Suppose $P$ is well-typed and transparent. Moreover, let $P \to^* P'$ and $P' \equiv E[P'']$. By subject 
reduction (Theorem 5) and Theorem 17, $P'$ is well-typed and transparent, and hence so is its sub-process $P''$. 
Now, if $P''$ has no live channels, we are done. Otherwise, by Theorem 23 there exists $Q \not\to$ such that $P'' \mid Q$ 
is transparent and well-typed, and $P'' \mid Q \to R$ for some $R$. By Theorem 5, this $R$ is also well-typed, so by 
Theorem 17 $R$ is also transparent, and the argument applies to $R$ in turn. □ 

Remark 25. In Section 2 we discussed that rule (DEL) can cause a deadlock with processes of the 
form $k!((k'')).\,P \mid Q$. However, such a process is not transparent because its graph is not acyclic. 

Recall from Section 2 that a program is a process with no free session channels and no non-trivial 
occurrences of session channel restrictions. 

Corollary 26. Well-typed programs have progress. 

Proof. By Proposition 11, every well-typed program is a transparent process. By the preceding theorem, 
every well-typed transparent process has progress. □ 

Example 27. Example 1, buyer-seller, is a program, and so transparent, whence it has progress. 

We conclude by remarking on the complexity of the implied program analysis. If a program is well- 
typed, transparency and thus progress come for free courtesy of Corollary 26. It can be checked whether 
a process is a well-typed program in $\mathcal{O}(n)$, where $n$ measures the number of nodes in the abstract syntax 
of the process, even if we also have to ensure that the process contains no restrictions. 

The broader class of transparent processes has progress by Theorem 24. The session-dependency 
graph of a process is computable in $\mathcal{O}(cp)$, where $c$ is the number of distinct session channels, bound 
or free, and $p$ is the number of top-level prefixes. Deciding acyclicity is linear in the number of nodes 
and edges, thus in time $\mathcal{O}(p + c) \subseteq \mathcal{O}(pc)$. Transparency requires this computation at every sub-term 
of the process; however, it is clearly sufficient to consider every maximal parallel product sub-term (i.e., 
for $P \mid Q$, there is no need to consider $P$ and $Q$ separately). Thus, letting $p_i$ be the width of the $i$th maximal 
parallel sub-term (that is, $n$ for $P_1 \mid \cdots \mid P_n$), we can compute transparency in $\mathcal{O}(\sum_i p_i\, c) \subseteq \mathcal{O}(nc)$. 
In summary: 

Theorem 28. A well-typed process $P$ can be checked for transparency in time $\mathcal{O}(nc)$, where $n$ is the 
number of nodes in the abstract syntax of the process, and $c$ is the number of distinct session channels. 
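The analysis just costed, as an added example that is not code from the paper: it builds the session-dependency graph of a maximal parallel product and decides transparency by running the acyclicity check on every such sub-term, as the paragraph above prescribes. The graph is constructed the way the proofs of this section use it: one node per thread of the product and one undirected edge labelled $k$ between two threads whenever $k$ is free in both; since the (COM) case treats two such edges between the same threads as a cycle, the check runs over a multigraph with union-find. That reading of $\mathcal{G}$, the reduced process syntax (payloads, expressions and selected labels are dropped; bound names are assumed pairwise distinct and distinct from free ones) and the example processes are assumptions of this example, since the page states the graph's properties but not its construction. DEADLOCK and PROCESS_7 are the two halves of process (7), REMARK_19 is the process of Remark 19, PIPELINE is a three-thread chain under restriction, and PROGRAM is a small program in the sense of Section 2.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterator, Optional, Union

# Process syntax reduced to what the graph needs: the session channel each prefix acts on and the
# names each binder binds.  (Syntax classes and field names are ours, not the paper's.)
@dataclass(frozen=True)
class Inact: pass                                                   # 0
@dataclass(frozen=True)
class Prefix: chan: str; cont: Proc; binds: Optional[str] = None    # k?(x).P k!(e).P k<l.P k!((k')).P; k?((k')).P has binds=k'
@dataclass(frozen=True)
class Offer: chan: str; branches: tuple                             # k>{ l_i : P_i } as ((label, P_i), ...)
@dataclass(frozen=True)
class Serv: name: str; chan: str; body: Proc; replicated: bool = False   # a(k).P, or !a(k).P if replicated
@dataclass(frozen=True)
class Par: left: Proc; right: Proc                                  # P | Q
@dataclass(frozen=True)
class Nu: chan: str; body: Proc                                     # (νk)P

Proc = Union[Inact, Prefix, Offer, Serv, Par, Nu]

def children(p: Proc) -> list[Proc]:
    """Immediate sub-processes: the continuation, the branches, or the body."""
    if isinstance(p, Prefix):      return [p.cont]
    if isinstance(p, Offer):       return [q for _, q in p.branches]
    if isinstance(p, (Serv, Nu)):  return [p.body]
    if isinstance(p, Par):         return [p.left, p.right]
    return []

def fsc(p: Proc) -> set[str]:
    """Free session channels: a(k).P, !a(k).P and (νk)P bind k; k?((k')).P binds k'."""
    free = set().union(*(fsc(q) for q in children(p)))
    if isinstance(p, (Serv, Nu)):  return free - {p.chan}
    if isinstance(p, Prefix):      return (free - {p.binds}) | {p.chan}
    if isinstance(p, Offer):       return free | {p.chan}
    return free

def threads(p: Proc) -> list[Proc]:
    """Components of the maximal parallel product; (νk) is a reduction context and is looked through."""
    if isinstance(p, Par):  return threads(p.left) + threads(p.right)
    if isinstance(p, Nu):   return threads(p.body)
    return [p]

def dependency_graph(p: Proc) -> tuple[int, list[tuple[int, int, str]]]:
    """Nodes are the threads 0..n-1 of the product; an undirected edge labelled k joins two threads
    whenever k is free in both.  Returns (n, edges); cost O(cp) for p threads and c channels."""
    free = [fsc(t) for t in threads(p)]
    edges = [(i, j, k) for i in range(len(free)) for j in range(i + 1, len(free))
             for k in sorted(free[i] & free[j])]
    return len(free), edges

def acyclic(n: int, edges: list[tuple[int, int, str]]) -> bool:
    """Union-find, linear in n + |edges| up to the inverse-Ackermann factor.  An edge whose ends are
    already connected closes a cycle, so two parallel edges with distinct labels count as one."""
    parent = list(range(n))
    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]       # path halving
            i = parent[i]
        return i
    for i, j, _ in edges:
        ri, rj = find(i), find(j)
        if ri == rj:
            return False
        parent[ri] = rj
    return True

def maximal_products(p: Proc) -> Iterator[Proc]:
    """p itself, then recursively every continuation of every thread (each is a maximal product)."""
    yield p
    for t in threads(p):
        for q in children(t):
            yield from maximal_products(q)

def transparent(p: Proc) -> bool:
    return all(acyclic(*dependency_graph(s)) for s in maximal_products(p))

def is_program(p: Proc) -> bool:
    """No free session channels and no restriction; Corollary 26 then gives progress for free."""
    def no_nu(q: Proc) -> bool:
        return not isinstance(q, Nu) and all(no_nu(c) for c in children(q))
    return not fsc(p) and no_nu(p)

# Constructed examples; channel names follow the page, bound names are kept apart.
DEADLOCK = Par(Prefix("k'", Prefix("k''", Inact())), Prefix("k''", Prefix("k'", Inact())))    # k'?(x).k''!(x) | k''?(x).k'!(x)
COMPATIBLE = Par(Prefix("k'", Prefix("k''", Inact())), Prefix("k'", Prefix("k''", Inact())))  # k'?(x).k''!(x) | k'!(e).k''?(x)
PIPELINE = Nu("k", Nu("k'", Par(Prefix("k", Inact()),                                          # (νk)(νk')(k!(1) | k?(x).k'!(x) | k'?(y))
                                Par(Prefix("k", Prefix("k'", Inact())), Prefix("k'", Inact())))))
PROCESS_7 = Par(DEADLOCK, Par(Serv("a", "k", Serv("a", "k0", Inact()), replicated=True), Serv("a", "k1", Inact())))
REMARK_19 = Par(Offer("k", (("l1", DEADLOCK), ("l2", COMPATIBLE))), Prefix("k", Inact()))      # k>{l1 : P1, l2 : P2} | k<l2
PROGRAM = Par(Serv("a", "k", Prefix("k", Inact()), replicated=True),                          # !a(k).k?(x) | !b(k').k'?(y)
              Par(Serv("b", "k'", Prefix("k'", Inact()), replicated=True),                    #   | a(k'').k''!(1).b(k3).k3!(2)
                  Serv("a", "k''", Prefix("k''", Serv("b", "k3", Prefix("k3", Inact()))))))

if __name__ == "__main__":
    for name in ("DEADLOCK", "COMPATIBLE", "PIPELINE", "PROCESS_7", "REMARK_19", "PROGRAM"):
        p = globals()[name]
        print(f"{name:10} program={is_program(p)!s:5} top-level acyclic={acyclic(*dependency_graph(p))!s:5} transparent={transparent(p)}")
```

Two of the results are worth reading carefully. REMARK_19 is acyclic at top level (its two threads share only $k$) but fails inside branch $l_1$, which is exactly why transparency is checked on every maximal parallel product rather than once. COMPATIBLE uses the same two sessions as DEADLOCK in a compatible order and runs to termination, yet it is not transparent either: the graph records which channels two threads share, not the order in which they use them, so transparency is a sufficient condition for progress (Theorem 24), not a necessary one, as Remark 19 already observes for its examples.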



7 Conclusions 

We have provided a simple and efficient static analysis for guaranteeing progress for web services based 
on session types. The advantage of our approach is that standard session typing (with the restriction on 
the typing of services) is enough for guaranteeing progress of programs without any further analysis of 
processes. Our result is based on the development of a technique which relies on session interdependency 
graphs. In particular, we have shown that transparent processes, those processes with an acyclic session 
interdependency graph, have progress, based on the fact that transparency is preserved by the reduction 
semantics and guarantees that live channels eventually react. 

The main limitation of this work is the lack of service channel restriction. The main challenge 
with introducing such a syntactic construct is in the definition of progress. In fact, processes such as 
$(\nu a)\,\big(a(k').\,k'?(x) \;\mid\; !a(k').\,k'!(e)\big)$ should satisfy the progress property. However, our current definition 
would address the sub-process $a(k').\,k'?(x)$ which, taking restriction into account, has no progress, since no 
external $Q$ can provide the restricted service $a$. We leave this issue as future work, conjecturing that, 
under some small assumptions, transparent processes with service restriction also have progress. 
Additionally, we plan to address two further points. Firstly, the graph representation of session 
interdependency has proved to be a very useful tool for investigating the properties of a system. We 
believe that this approach can lead to further results that go beyond applications to progress, e.g. secure 
data flow. Secondly, the work in [2] provides a typing system for guaranteeing progress in multiparty 
sessions. A natural question is whether the techniques used in this work can be reused in the multiparty 
session setting with similar results. We are optimistic that this might be the case. 